Kaspersky Anti Targeted Attack Platform

[Topic 194326_1]

Opening Kaspersky Endpoint Agent settings window

This section provides information related to Kaspersky Endpoint Agent for Windows. This information may be partially or completely inapplicable to Kaspersky Endpoint Agent for Linux. For complete information about Kaspersky Endpoint Agent for Linux, please refer to the Help of the solution that includes the application: Kaspersky Anti Targeted Attack Platform or Kaspersky Managed Detection and Response.

To open the Kaspersky Endpoint Agent policy settings window:

  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.

To open the Kaspersky Endpoint Agent settings window for an individual device:

  1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
  2. Select the device.
  3. In the <Device name> window that opens, select the Applications tab.
  4. Select Kaspersky Endpoint Agent.
  5. In the window that opens, select the Application settings tab.

    If an active Kaspersky Security Center policy is applied to a device and blocks changes to the application settings, these settings cannot be edited in the Application settings window, except for the network isolation settings.

    The settings of automatic network isolation can be configured in the policy properties, and the settings of network isolation on demand (manually enabled settings) can be configured in the properties of an individual device.

[Topic 206439]

Configuring Kaspersky Endpoint Agent security settings

To ensure maximum security of the IT infrastructure in your organization, you can configure access of users and third-party processes to Kaspersky Endpoint Agent. To do so, you can:

In this Help section

Configuring user permissions

Enabling Password protection

Enabling and disabling Self-Defense

[Topic 199459]

Configuring user permissions

You can grant access to Kaspersky Endpoint Agent to individual users or groups of users. As a result, only specified users will be able to manage settings or services of the application.

To configure user permissions:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the User permissions for application service management group of settings, click the Configure button next to the name of the required setting (User permissions for application management or Configure user permissions for application management).

    To add users and user groups, specify the security descriptor strings using the

    .

  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. Click the Save button.

[Topic 199460]

Enabling Password protection

Unrestricted user access to the application and its settings can reduce the security level of the device. Password protection is a means to limit user access to the application.

To enable password protection:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Password protection group of settings select the Apply password protection check box.
  4. Enter a password and confirm it.

    It is recommended to select a password that meets the following requirements:

    • The password must be at least 8 characters long.
    • The password must not contain the user's account name.
    • The password must not match the name of the device on which Kaspersky Endpoint Agent is installed.
    • The password must contain characters from at least three of the following groups:
      • uppercase characters (A-Z);
      • lowercase characters (a-z);
      • numbers (0-9);
      • special characters (!$#%).
  5. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  6. Click OK.
  7. Click the Save button.

Password protection is now enabled. If a user attempts to perform a password protected action, the application will prompt the user to enter the password.

The application does not check the strength of the specified password. We recommend that you use third-party tools to verify the strength of the password. The password is considered strong enough if verification results confirm that the password cannot be guessed for at least 6 months.
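
Because the application does not check the password itself, the recommendations listed in step 4 can be checked before the password is entered. The following is an added example, not Kaspersky code; the function names, the case-insensitive name comparisons, and the treatment of any ASCII punctuation mark as a special character are assumptions.

```python
import string

MIN_LENGTH = 8   # "at least 8 characters long"
MIN_GROUPS = 3   # "at least three of the following groups"

# Character groups from the recommendation. The page lists "!$#%" as special
# characters; treating every ASCII punctuation mark as special is an assumption.
GROUPS = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numbers": set(string.digits),
    "special": set(string.punctuation),
}


def groups_used(password):
    """Return the sorted names of the character groups present in the password."""
    chars = set(password)
    return sorted(name for name, members in GROUPS.items() if chars & members)


def check_password(password, account_name, device_name):
    """Return the list of recommendations the password fails (empty = all met).

    Name comparisons are case-insensitive (an assumption; the page does not
    say), so "Admin" inside the password counts as containing account "admin".
    """
    failures = []
    lowered = password.casefold()

    if len(password) < MIN_LENGTH:
        failures.append("shorter than 8 characters")

    # An empty account name would be "contained" in every string, so skip it.
    if account_name and account_name.casefold() in lowered:
        failures.append("contains the user's account name")

    if device_name and lowered == device_name.casefold():
        failures.append("matches the device name")

    used = groups_used(password)
    if len(used) < MIN_GROUPS:
        failures.append(
            "uses %d character group(s) (%s); at least 3 required"
            % (len(used), ", ".join(used) or "none")
        )
    return failures


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    samples = [
        ("Tr1ck!eRiver", "jsmith", "WS-FINANCE-07"),
        ("jsmith2024", "jsmith", "WS-FINANCE-07"),
        ("ws-finance-07", "jsmith", "WS-FINANCE-07"),
        ("Ab1!", "jsmith", "WS-FINANCE-07"),
    ]
    for pw, account, device in samples:
        problems = check_password(pw, account, device)
        print(repr(pw), "->", problems or "meets all recommendations")
```

An empty result only confirms the listed recommendations; it does not replace the strength verification with third-party tools recommended above.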

The application does not block further attempts after an incorrect password has been entered many times.

[Topic 199461]

Enabling and disabling Self-Defense

The Self-Defense mechanism of Kaspersky Endpoint Agent provides protection from malware that tries to lock or delete the application. The Self-Defense mechanism prevents the alteration or deletion of application files on the hard drive, memory processes, and entries in the system registry.

To enable or disable Self-Defense:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Self-defense group of settings, enable or disable the Enable self-defense for application modules in memory setting.
  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. Click the Save button.

The Self-Defense mechanism is now enabled or disabled.

[Topic 199462]

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Proxy server connection settings are used for updating databases, activating the application, and for the operation of external services.

If you want to use the proxy server with the specified settings when connecting to a KATA, Kaspersky Industrial CyberSecurity for Networks, or Kaspersky Sandbox server, make sure that the Connect using the proxy server if specified in the general settings option is selected when you configure integration with KATA, Kaspersky Industrial CyberSecurity for Networks, or Kaspersky Sandbox. This option is not selected by default.

To configure proxy server connection settings:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. Select one of the following proxy service usage options:
    • Do not use proxy server.
    • Automatically detect proxy server address.
    • Use proxy server with specified settings.
  4. If you select the Automatically detect proxy server address option, the proxy server for further telemetry transmission will be detected automatically.
  5. If you select the Use proxy server with specified settings option, specify the address and port of the proxy server you want to connect to in the Server name or IP address and Port fields.

    The default port number is 8080.

  6. If you want to use NTLM authentication to connect to the proxy server:
    1. Select the Use NTLM authentication by user name and password check box.
    2. In the User name field, enter the name of the user, whose account will be used for proxy server authentication.
    3. In the Password field, enter the password for connecting to the proxy server.

      You can make password characters visible by clicking Show to the right of the Password field.

  7. If you do not want to use the proxy server for internal addresses of your organization, select the Bypass proxy server for local addresses check box.
  8. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  9. Click OK.
  10. In the policy properties window, click Save.

Proxy server connection settings are now configured.

[Topic 199759]

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

To enable usage of Kaspersky Security Center as a proxy server for the application activation:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Security settings subsection.
  3. In the Licensing group of settings, select the Use Kaspersky Security Center as a proxy server when activating the application check box.
  4. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  5. Click OK.
  6. In the policy properties window, click Save.

Kaspersky Security Center usage as a proxy server for Kaspersky Endpoint Agent activation is now enabled.

[Topic 199760]

Configuring Kaspersky Endpoint Agent policy type

Select the Kaspersky Endpoint Agent policy type so that the list of settings displayed in the policy corresponds to the selected Kaspersky Endpoint Agent deployment method.

To configure the policy type:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Application settings section select the Management and interface subsection.
  3. In the window that opens, select the required Kaspersky Endpoint Agent deployment method by selecting the appropriate check boxes:
    • Integration with Kaspersky Sandbox
    • Endpoint Detection and Response Optimum
    • Endpoint Detection and Response Expert (KATA EDR), Kaspersky Industrial CyberSecurity for Networks

    Policy type and integration with Kaspersky Sandbox and KATA EDR cannot be selected in Kaspersky Security Center Cloud Console.

  4. Click OK.

The policy type has been changed. The policy contains the settings for the selected Kaspersky Endpoint Agent deployment method.

[Topic 200211]

Configuring KSN usage in Kaspersky Endpoint Agent

To protect your computer more effectively, Kaspersky Endpoint Security uses data received from users around the globe. Kaspersky Security Network is designed to receive this data.

Kaspersky Security Network (KSN) is an infrastructure of cloud services that provide access to the online Kaspersky Knowledge Base that contains information about the reputations of files, web resources, and software. The use of data from Kaspersky Security Network ensures faster responses by the

to objects that are not yet listed in anti-virus application databases, improves performance of some protection components, and reduces the likelihood of false positives.

Participation in Kaspersky Security Network allows Kaspersky to quickly acquire information about the types and sources of objects that are not yet listed in anti-virus application databases, develop methods for neutralizing such objects, and reduce the number of false positives.

When you use Kaspersky Security Network, certain statistical data collected while Kaspersky Endpoint Agent is running is automatically sent to Kaspersky. Files, or parts of files, that may be exploited by intruders to harm the computer or data can also be sent to Kaspersky for further examination.

No personal data is collected, processed, or stored. The types of data that Kaspersky Endpoint Agent sends to Kaspersky Security Network are described in the KSN Statement.

Participation in Kaspersky Security Network is voluntary. KSN usage is disabled by default. After enabling KSN usage, you can disable this option at any time.

Starting from version 3.10,

(also referred to as KMP) usage cannot be configured by means of Kaspersky Endpoint Agent. If usage of the KMP service was enabled in the previous Kaspersky Endpoint Agent version, the KMP service continues functioning after the application is updated to version 3.10 and later. After the application update, you can disable the KMP service only using Kaspersky Endpoint Agent Administration Plug-in or Kaspersky Endpoint Agent Web Plug-in of versions earlier than 3.10.

To enable KSN usage:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Kaspersky Security Network section, click the Read terms and conditions of the KSN Statement link and perform the following actions:
    1. In the right part of the window, review the terms and conditions of the KSN Statement.
    2. If you agree with terms and conditions of the Statement, select the I confirm that I have fully read, understood, and accept the terms and conditions of this Kaspersky Security Network Statement check box.
    3. Click OK.
  3. Select the Enable Kaspersky Security Network usage check box.
  4. If you want to use Kaspersky Security Center for telemetry transmission, select the check box.
  5. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  6. Click OK.
  7. In the policy properties window, click Save.

KSN usage is enabled.

[Topic 199776]

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

This section contains information on how to configure integration between Kaspersky Endpoint Agent and the KATA Central Node component using the Kaspersky Security Center Web Console.

In this Help section

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

[Topic 206114]

Configuring data submission settings

To configure data submission settings:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the General settings subsection.

    The General settings window opens.

  3. In the Data submission settings group, do the following:
    • Specify the value in the Events transmission period (sec.) field.
    • Specify the value in the Maximum number of events in a package field.
  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.

[Topic 206806]

Configuring request throttling settings

The request throttling feature allows restricting the flow of events with low importance from Kaspersky Endpoint Agent to the Central Node component.

To configure the request throttling settings:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the General settings subsection.

    The General settings window opens.

  3. In the Request throttling group of settings, you can perform the following actions:
    • Select or clear the Enable request throttling check box to enable or disable the feature.

      This feature is enabled by default.

    • Specify the value in the Maximum number of events per hour field.

      The application analyzes telemetry data flow and restricts transmission of events with low importance if the number of transmitted events tends to exceed the value specified in this field. The default value is 3000 events per hour.

    • Specify the value in the Percentage of event limit excess field.

      If the flow of events of the same type with low importance exceeds the threshold value specified in this field as a percentage of the total number of events, transmission of events of this type is restricted. You can specify a value from 5% to 100%. The default value is 15%.

  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.
[Topic 206807]

Enabling and disabling integration with KATA Central Node

If you use Nginx as a proxy server between a device with Kaspersky Endpoint Agent installed and KATA server, configure the client_max_body_size setting. The value of the client_max_body_size setting must be equal to the maximum size of the object sent by Kaspersky Endpoint Agent to KATA for processing. Otherwise, Nginx will not send objects whose size exceeds the specified value. The default value is 1 MB.

To enable or disable integration with the KATA Central Node component:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Connection settings group, do one of the following:
    • To enable integration with KATA Central Node:
      1. Select the Enable KATA integration check box.
      2. In the List of KATA servers settings group, for one or more KATA servers, specify the IP address or full domain name of the KATA server, as well as the port for connecting to the server.

        Kaspersky Endpoint Agent connects to the first server in the list. If the connection does not succeed, Kaspersky Endpoint Agent connects to the second server and so on down the list.

    • To disable integration with KATA Central Node, clear the Enable KATA integration check box.
  4. Enable or disable the Connect using the proxy server if specified in the general settings option.

    This option is disabled by default. The application connects to the KATA server only directly and does not use the general proxy server connection settings. You can enable this option if you want the application to use the general proxy server connection settings when connecting to the KATA server.

  5. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  6. Click OK.

Integration with KATA Central Node is enabled or disabled.

[Topic 206808]

Configuring trusted connection with KATA Central Node

To configure trusted connection between Kaspersky Endpoint Agent and KATA Central Node, perform the following actions on Kaspersky Endpoint Agent side:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Connection settings group, select the Use pinned certificate to protect connection check box.
  4. Click the Add new TLS certificate button.

    The window for adding a new TLS certificate opens.

  5. Perform one of the following actions to add a TLS certificate:
    • Add a certificate file. Click Upload, and in the window that opens, select the certificate file and click Open.
    • Copy and paste the contents of the certificate file to the TLS certificate data field.

    Kaspersky Endpoint Agent may have only one KATA server TLS certificate. If you have added a TLS certificate before and then add a TLS certificate once again, only the last added certificate is valid.

  6. Click OK.

    Information about the added TLS certificate is shown in the TLS certificate data group of settings.

  7. If you want to configure additional connection protection by a user certificate, do the following:
    1. Select the Secure connection with the client certificate check box.
    2. Click the Load Crypto-container button.
    3. In the window that opens select the PFX archive and click Open.
    4. In the Crypto-container password field, enter the password for the PFX archive.
    5. Click OK.
  8. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  9. Click OK.

A trusted connection to the KATA server is now configured.

The TLS certificate file must satisfy the following requirements:

  • The file must contain the certificate itself and a private encryption key for the connection.
  • The file must be in PEM or DER format.
  • The private key length must be 2048 bits or longer.

For more details about preparing TLS certificates for import, refer to OpenSSL documentation.

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

[Topic 206809]

Configuring synchronization settings between Kaspersky Endpoint Agent and KATA Central Node

To configure synchronization settings between Kaspersky Endpoint Agent and KATA Central Node:

  1. Open the policy properties window.
    1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
    2. Select the policy you want to configure.
    3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Telemetry collection servers section, select the Integration with KATA subsection.

    The KATA integration window opens.

  3. In the Additional settings group, configure the following settings:
    • Timeout (sec.). Specify the maximum KATA server response timeout. The default value is 10 seconds.
    • Send synchronization request to KATA server every (min.). Specify the interval at which Kaspersky Endpoint Agent sends requests to synchronize its settings and tasks with KATA Central Node. You can specify a value from 1 to 60 minutes. The default value is 5 minutes.
    • Select or clear the Use TTL period when sending events check box. The check box is cleared by default.

      If the check box is selected, Kaspersky Endpoint Agent does not send information about the processes that are started again to the KATA server. Kaspersky Endpoint Agent does not consider the launch of the process as repeated if the process is started after the end of the TTL period.

    • If you select the Use TTL period when sending events check box, specify the time in the TTL period (min.) field. The default value is 1440 minutes.
  4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.

    The default switch position is Enforce.

  5. Click OK.

See also

Configuring data submission settings

Configuring request throttling settings

Enabling and disabling integration with KATA Central Node

Configuring trusted connection with KATA Central Node

[Topic 206810]

Configuring EDR telemetry settings

This section contains information on how to configure:

  • Exclusions for EDR telemetry about application processes, which Kaspersky Endpoint Agent processes and sends to a server with the KATA Central Node or Kaspersky Industrial CyberSecurity for Networks component.
  • Optimization of the volume of EDR telemetry that Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.
  • Exclusions for EDR telemetry about network communications, which Kaspersky Endpoint Agent processes and sends to a server with the Kaspersky Industrial CyberSecurity for Networks component.

In this Help section

Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

Enabling and configuring exclusions for sent EDR telemetry about network communications

[Topic 206175]

Enabling and configuring exclusions for and optimization of sent EDR telemetry about application processes

You can enable and configure exclusions for and optimization of EDR telemetry about application processes using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about application processes are available when Kaspersky Endpoint Agent is integrated with servers where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data on excluded application processes to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

Optimization of the volume of EDR telemetry about application processes can be managed (enabled / disabled) when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

If optimization of the volume of EDR telemetry is enabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (network activity of a process) for the Microsoft SMB protocol and the Network Agent process klnagent.exe regarding processes of applications on a server where KATA Central Node or Kaspersky Industrial CyberSecurity for Networks is installed.

To enable and configure exclusions for and optimization of the volume of EDR telemetry on application processes:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the EDR telemetry section, select Excluded processes.

    The Excluded processes window opens.

  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Configure optimization of the volume of EDR telemetry:

    When Kaspersky Endpoint Agent is integrated with servers where KATA Central Node is installed, optimization of the volume of EDR telemetry should always be enabled.

    • Disable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol, WinRM service, and the Network Agent process klnagent.exe.
    • Enable the Optimize the amount of telemetry setting if you want Kaspersky Endpoint Agent to not send events with codes 102 (basic communications) and 8 (the process’s network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe.

    If the Use exclusions setting is disabled, Kaspersky Endpoint Agent does not send events with codes 102 (basic communications) and 8 (the process's network activity) for the Microsoft SMB protocol and the Network Agent process klnagent.exe, regardless of the value of the Optimize the amount of telemetry setting.

  5. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings:

      Exclusion settings are applied using a logical AND.

      To create an exclusion, specify the value in the Full path field and select at least one event type in the Use this exclusion for the following event types list.

      If the Network events value is selected for the Use this exclusion for the following event types criterion, specify the full path to the file in the Full path field.

      The object for which you create an exclusion must be available on the protected device at the time the exclusion settings are applied. For example, if you first configure exclusion for a specific application, and then install that application on the protected device, this exclusion will not be applied.

      1. In the Process information section, specify the values in the following fields:
        • Full path. Full path to the file, including its name and extension. You can use file masks (using the ? and * characters), as well as system environment variables.
        • Command line text. Command line to run the object.
        • Parent folder path. The path to the folder where the file is located.
      2. In the File properties section, specify the values in the following fields:
        • File description. The value of the FileDescription parameter from the resource of the RT_VERSION type (VersionInfo).
        • Original file name. The value of the OriginalFilename parameter from the resource of the RT_VERSION type (VersionInfo).
        • File version. The value of the FileVersion parameter from the resource of the RT_VERSION type (VersionInfo).
      3. In the File checksums section, specify the values in the following fields:
        • MD5. MD5 hash of the file.
        • SHA256. SHA256 hash of the file.
      4. In the Use this exclusion for the following event types list, select at least one value:
        • File modification.
        • Network events.
        • Interactive input in the console.

          This event type is selected by default.

        • Loading the process module.
        • Changes in the Registry.
    3. Click OK to save the changes and close the Rule properties window.

      The new exclusion is created and displayed in the list of exclusions.

    4. If you need to export the exclusion list to an XML file, click the Export button.
    5. If you need to import the exclusion list from an XML file, click the Import button.
    6. If you need to modify an exclusion, click the Modify button.
    7. If you need to delete an exclusion from the list, select the exclusion and click the Delete button.
  6. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
  7. Click OK to save the changes.
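
The following sketch is an added example, not Kaspersky code. It models how the criteria of a process exclusion combine with a logical AND, so that the scope of a rule can be reviewed before it is applied. The class and function names, the exact case-insensitive comparison of fields, the assumption that * may span folder separators, and all sample paths and hashes are constructed for illustration.

```python
import ntpath
import re
from dataclasses import dataclass

# Event types offered in the Rule properties window (taken from this page).
EVENT_TYPES = frozenset({
    "File modification",
    "Network events",
    "Interactive input in the console",
    "Loading the process module",
    "Changes in the Registry",
})

# Optional criteria; the attribute names are this example's own.
OPTIONAL_FIELDS = ("command_line", "parent_folder", "file_description",
                   "original_file_name", "file_version", "md5", "sha256")


@dataclass(frozen=True)
class ExclusionRule:
    full_path: str                 # may contain ? and * masks and %VARIABLES%
    event_types: frozenset
    command_line: str = ""         # empty string = criterion not set
    parent_folder: str = ""
    file_description: str = ""
    original_file_name: str = ""
    file_version: str = ""
    md5: str = ""
    sha256: str = ""


def validate(rule):
    """Return a list of problems; an empty list means the rule is complete."""
    problems = []
    if not rule.full_path:
        problems.append("Full path is required")
    if not rule.event_types:
        problems.append("at least one event type must be selected")
    elif not set(rule.event_types) <= EVENT_TYPES:
        problems.append("unknown event type")
    return problems


def expand_env(text, env):
    """Expand %NAME% references from the supplied environment mapping."""
    upper = {name.upper(): value for name, value in env.items()}
    return re.sub(r"%([^%\\]+)%",
                  lambda m: upper.get(m.group(1).upper(), m.group(0)), text)


def mask_to_regex(mask):
    """Translate a ? / * file mask into a case-insensitive regex.

    Assumption of this sketch: * may also match folder separators.
    """
    pieces = {"*": ".*", "?": "."}
    body = "".join(pieces.get(ch, re.escape(ch)) for ch in mask)
    return re.compile(body, re.IGNORECASE | re.DOTALL)


def is_excluded(rule, event, env):
    """True only if every criterion set in the rule matches (logical AND)."""
    if validate(rule) or event["type"] not in rule.event_types:
        return False
    mask = expand_env(rule.full_path, env)
    if not mask_to_regex(mask).fullmatch(event["image_path"]):
        return False
    actual = dict(event, parent_folder=ntpath.dirname(event["image_path"]))
    # Assumption: each optional field is compared exactly, ignoring case.
    return all(
        getattr(rule, name).lower() == str(actual.get(name, "")).lower()
        for name in OPTIONAL_FIELDS if getattr(rule, name)
    )


def suppressed_ids(rules, events, env):
    """IDs of events that at least one rule would keep from being sent."""
    return [e["id"] for e in events
            if any(is_excluded(r, e, env) for r in rules)]


# Constructed sample data: paths, hashes and the environment are made up.
ENV = {"ProgramFiles": r"C:\Program Files"}
APP = r"C:\Program Files\ExampleBackup\agent.exe"
EVENTS = [
    {"id": 1, "type": "Network events", "image_path": APP, "sha256": "aa" * 32},
    {"id": 2, "type": "Network events", "image_path": APP, "sha256": "bb" * 32},
    {"id": 3, "type": "File modification", "image_path": APP, "sha256": "aa" * 32},
    {"id": 4, "type": "Network events",
     "image_path": r"C:\Users\Public\agent.exe", "sha256": "aa" * 32},
]
PATH_ONLY = ExclusionRule(r"%ProgramFiles%\ExampleBackup\*.exe",
                          frozenset({"Network events"}))
PATH_AND_HASH = ExclusionRule(r"%ProgramFiles%\ExampleBackup\agent.exe",
                              frozenset({"Network events"}), sha256="AA" * 32)

if __name__ == "__main__":
    print("path only    :", suppressed_ids([PATH_ONLY], EVENTS, ENV))
    print("path and hash:", suppressed_ids([PATH_AND_HASH], EVENTS, ENV))
```

In this model the path-only rule covers every file that fits the mask, while adding the SHA256 criterion limits the same rule to one build of the file; each additional criterion can only narrow an exclusion.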
[Topic 207214]

Enabling and configuring exclusions for sent EDR telemetry about network communications

You can configure exclusions for EDR telemetry about network communications using Kaspersky Security Center Web Console, in the properties of an individual device or in the policy settings for a group of devices.

Exclusions for EDR telemetry about network communications are applied when Kaspersky Endpoint Agent is integrated with servers where Kaspersky Industrial CyberSecurity for Networks is installed.

Kaspersky Endpoint Agent does not analyze or send data matching exclusion settings to the server with KATA Central Node or Kaspersky Industrial CyberSecurity for Networks installed.

To enable and configure exclusions for EDR telemetry about network communications:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the EDR telemetry section, select Excluded network communications.

    The Excluded network communications of the process window opens.

  3. In the Exclusions settings group, enable the Use exclusions setting to enable use of EDR telemetry exclusions.
  4. Create a list of exclusions:
    1. Click the Add button.
    2. In the Rule properties window that opens, configure the exclusion settings.

      Exclusion settings are applied using a logical AND.

      1. In the Name field, enter the name of the exclusion.
      2. In the Direction drop-down list, select the direction of network traffic.
      3. In the Protocol drop-down list, select the network protocol.
      4. If you select a custom protocol, in the Number field, enter the network protocol number.
      5. Select the Local port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the remote device.

        The values 1–65535 are available for port numbers.

        The values 1–10, 20–30000 and 1–65535 are available for a range of ports.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      6. Select the Remote port OR range check box and enter the port number or number range.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the port or range of ports for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the port or range of ports for the local device.

        The values 1–65535 are available for port numbers.

        The values 1–10, 20–30000 and 1–65535 are available for a range of ports.

        Limitations:

        • For network connections of a local device running the Windows XP operating system, you can specify only a single port, because Windows XP does not support a range of ports.
        • For network connections of a remote device running the Windows XP operating system, you can specify a range of ports, but only the first port in the specified range is correctly applied, because Windows XP does not support a range of ports.
      7. Select the Local address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the local device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address of the remote device.

        For IP addresses, only addresses in IPv4 format are supported.

      8. Select the Remote address check box and enter the network address of the device for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.

        For incoming connections (in the Direction drop-down list, Incoming is selected), enter the network address for the remote device.

        For outgoing connections (in the Direction drop-down list, Outgoing is selected), enter the network address for the local device.

        For IP addresses, only addresses in IPv4 format are supported.

      9. Create the list of applications for which Kaspersky Endpoint Agent will not analyze or send EDR telemetry about network traffic in accordance with the exclusion settings.
        1. Select the Applications check box.
        2. In the field below, specify the path to the executable file of the application you want to add to the list. You can enter the path manually or with the help of the Browse button.
        3. Click the Add button.
        4. For each application you want to add to the list, repeat steps 2 and 3 of this procedure.
        5. If necessary, remove an application from the list:
          1. Select the application in the list.
          2. Click the Delete button.
      10. Click OK to save the changes and close the Rule properties window.

        The new exclusion is created and displayed in the list of exclusions.

    3. If you need to modify an exclusion, click the Modify button.
    4. If you need to delete an exclusion, select the exclusion and click the Delete button.
  5. If you are configuring the policy settings, make sure that the switch in the upper right corner of the group of settings is turned on. It is the default position of the switch.
  6. Click OK to save the changes.
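
The following sketch is an added example, not Kaspersky code. It validates the port, range and IPv4 values described above and evaluates a network exclusion with a logical AND, using the direction-dependent meaning of the Local and Remote fields exactly as this page states it. The class and function names, the "TCP" protocol value, the treatment of the application list as "any listed application", and all sample addresses and paths are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Which device each rule field describes, per direction, as stated on this page.
FIELD_DESCRIBES = {
    ("Incoming", "local"): "local",
    ("Incoming", "remote"): "remote",
    ("Outgoing", "local"): "remote",
    ("Outgoing", "remote"): "local",
}


def parse_ports(text):
    """Parse '443' or '20-30000' into an inclusive (low, high) pair."""
    low, dash, high = text.replace("\u2013", "-").partition("-")
    if not dash:
        high = low
    low, high = low.strip(), high.strip()
    if not (low.isdigit() and high.isdigit()):
        raise ValueError(f"not a port or range: {text!r}")
    low, high = int(low), int(high)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"expected 1 <= low <= high <= 65535: {text!r}")
    return low, high


def parse_ipv4(text):
    """Only IPv4 is supported; IPv6 or malformed input raises ValueError."""
    return ipaddress.IPv4Address(text.strip())


@dataclass(frozen=True)
class NetworkExclusion:
    name: str
    direction: str              # "Incoming" or "Outgoing"
    protocol: str               # drop-down value; "TCP" is assumed here
    local_port: str = ""        # empty string = check box cleared
    remote_port: str = ""
    local_address: str = ""
    remote_address: str = ""
    applications: tuple = ()


def matches(rule, conn):
    """True if every criterion set in the rule matches conn (logical AND).

    conn describes a connection from the protected device's point of view:
    local_* is the device itself, remote_* is its peer.
    """
    if rule.direction != conn["direction"] or rule.protocol != conn["protocol"]:
        return False
    for field in ("local", "remote"):
        side = FIELD_DESCRIBES[(rule.direction, field)]
        ports = getattr(rule, field + "_port")
        if ports:
            low, high = parse_ports(ports)
            if not low <= conn[side + "_port"] <= high:
                return False
        address = getattr(rule, field + "_address")
        if address and parse_ipv4(address) != parse_ipv4(conn[side + "_ip"]):
            return False
    if rule.applications:
        # Assumption: the rule applies to any application in the list.
        apps = {path.lower() for path in rule.applications}
        if conn["application"].lower() not in apps:
            return False
    return True


# Constructed sample connections and rules (documentation address ranges).
OUT = {"direction": "Outgoing", "protocol": "TCP",
       "local_ip": "10.0.0.5", "local_port": 50123,
       "remote_ip": "192.0.2.10", "remote_port": 443,
       "application": r"C:\Program Files\ExampleBackup\agent.exe"}
IN = {"direction": "Incoming", "protocol": "TCP",
      "local_ip": "10.0.0.5", "local_port": 443,
      "remote_ip": "192.0.2.10", "remote_port": 50123,
      "application": r"C:\ExampleWeb\server.exe"}

# On an Outgoing rule the Local fields describe the remote device.
RULE_OUT = NetworkExclusion("backup upload", "Outgoing", "TCP",
                            local_port="443", local_address="192.0.2.10")
# On an Outgoing rule the Remote port field describes the local device,
# so this rule does not match a connection to remote port 443.
REMOTE_443 = NetworkExclusion("remote field", "Outgoing", "TCP",
                              remote_port="443")
RULE_IN = NetworkExclusion("web server", "Incoming", "TCP",
                           local_port="1-1024", local_address="10.0.0.5")

if __name__ == "__main__":
    for rule in (RULE_OUT, REMOTE_443, RULE_IN):
        print(rule.name, matches(rule, OUT), matches(rule, IN))
```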
[Topic 243221]

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Before performing the following steps, get the MDR configuration file. It contains a configuration file (BLOB) required for integration.

By downloading the Kaspersky Managed Detection and Response configuration file, you agree to automatically send the data from the device with Kaspersky Endpoint Security installed to Kaspersky for processing. Do not download the configuration file if you do not want the transmitted data to be processed.

If you want Kaspersky Endpoint Agent to process data about events generated by Kaspersky Industrial CyberSecurity for Networks and send this data to Kaspersky Managed Detection and Response, configure interaction with Kaspersky Security Center in the settings of Kaspersky Industrial CyberSecurity for Networks. For detailed information on configuring interaction between the applications, refer to the Kaspersky Industrial CyberSecurity for Networks documentation.

To configure integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response using the Kaspersky Security Center Web Console:

  1. Open the Kaspersky Security Center Web Console.
  2. Open the Devices → Policies and profiles tab.
  3. In the list of policies, select the name of the Kaspersky Endpoint Agent policy that you want to configure.

    This opens the policy settings window.

  4. Enable KSN Usage.

    Open the main window of the Kaspersky Security Center Web Console.

  5. In the Administration Console tree, configure the Private KSN settings (for information on configuring Kaspersky Security Network proxy server settings, refer to Kaspersky Security Center Help).

    Download the Kaspersky Managed Detection and Response configuration file with the pkcs7 extension that is included in the mdr_config.zip archive.

  6. To continue configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response, open the main window of the Kaspersky Security Center Web Console.
  7. Open the Devices → Policies and profiles tab.
  8. In the list of policies, select the name of the Kaspersky Endpoint Agent policy that you want to configure.

    This opens the policy settings window.

  9. On the Application settings tab, select Managed Detection and Response.
  10. In the Managed Detection and Response settings group, do the following:
    1. Switch the toggle button to Managed Detection and Response enabled.
    2. Click the Upload configuration file (BLOB) button and select the BLOB configuration file to load.
    3. In the User identifier field, enter an arbitrary value.
    4. In the upper right corner of the settings group, change the switch from Undefined to Enforce.
  11. Click Save to save the changes.

Integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response is configured.

MDR operation when using Kaspersky Endpoint Agent simultaneously with Kaspersky Endpoint Security

Kaspersky Endpoint Security 11 or later with the current database version supports interaction with MDR. In Kaspersky Endpoint Security 11.6.0 or later, interaction with MDR is available immediately after installation.

If you use Kaspersky Endpoint Agent to work with MDR and install a version of Kaspersky Endpoint Security that supports interaction with MDR, or update the databases of Kaspersky Endpoint Security 11 or later to the current version, MDR stops working with Kaspersky Endpoint Agent and becomes available for work with Kaspersky Endpoint Security. In this case:

  • Switching between Kaspersky Endpoint Agent and Kaspersky Endpoint Security is performed in quiet mode.
  • Kaspersky Endpoint Agent allows for configuring settings for interaction with MDR, but these settings are not applied on the device.
  • If Kaspersky Endpoint Security is not available (for example, you uninstalled the application), MDR can start working with Kaspersky Endpoint Agent if you restart the Kaspersky Endpoint Agent service.
  • The Managed Detection and Response component remains in the Running status in Kaspersky Endpoint Agent settings on the device, since Kaspersky Endpoint Agent continues to communicate with MDR (for example, to resume working with the solution if necessary).

[Topic 200416]

Configuring storage settings in Kaspersky Endpoint Agent

This section describes how to configure the quarantine settings and data synchronization settings with the Administration Server by means of Kaspersky Endpoint Agent Management plug-in.

See also

Opening Kaspersky Endpoint Agent settings window

Configuring Kaspersky Endpoint Agent security settings

Configuring Kaspersky Endpoint Agent connection settings to a proxy server

Configuring Kaspersky Security Center as a proxy server for Kaspersky Endpoint Agent activation

Configuring Kaspersky Endpoint Agent policy type

Configuring KSN usage in Kaspersky Endpoint Agent

Configuring integration between Kaspersky Endpoint Agent and KATA Central Node

Configuring integration between Kaspersky Endpoint Agent and Kaspersky Managed Detection and Response

Configuring failure diagnosis

In this section

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server

[Topic 196788_1]

About Kaspersky Endpoint Agent quarantine

Quarantine is a special local repository on the device. The user can put files considered dangerous to the computer into quarantine. Quarantined files are stored in an encrypted form and therefore do not compromise your device's security.

By default, the local quarantine is located in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Quarantine folder. By default, the objects restored from quarantine are stored in the %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\<application version>\Restored folder.

Kaspersky Security Center generates a common list of quarantined objects on devices with Kaspersky Endpoint Agent installed. Network Agents on the devices submit information about quarantined files to the Administration Server.

Kaspersky Security Center Network Agent does not copy files from quarantine to the Administration Server. All objects are stored on protected devices with Kaspersky Endpoint Agent installed. Objects are restored from the quarantine also on the protected devices.

See also

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server

[Topic 193277_1]

About quarantine management in Kaspersky Endpoint Agent

You can use Kaspersky Security Center to configure quarantine settings, view the properties of the quarantined objects on the protected devices, delete quarantined objects, and restore objects from Quarantine. For detailed information on managing the quarantined objects using Kaspersky Security Center, refer to Kaspersky Security Center documentation.

In order for Kaspersky Endpoint Agent to send data about quarantined objects to Kaspersky Security Center Administration Server, the corresponding option must be enabled in the quarantine settings in Kaspersky Endpoint Agent policy. This option is enabled by default.

Using the command line interface on the device, you can view information about quarantine settings and properties of the quarantined objects.

Kaspersky Endpoint Agent quarantines objects under the system account (SYSTEM).

Quarantined objects can be removed using the command line interface only with the permissions of the local account of the protected device user.

See also

About Kaspersky Endpoint Agent quarantine

Configuring quarantine settings and restoration of objects from quarantine

Configuring data synchronization with the Administration Server

[Topic 196988_1]

Configuring quarantine settings and restoration of objects from quarantine

To configure quarantine settings:

  1. In the main Kaspersky Security Center Web Console window select Devices → Policies and profiles.
  2. Select the policy you want to configure.
  3. In the <Policy name> window that opens, select the Application settings tab.
  4. In the Repositories section select the Quarantine subsection.
  5. In the Quarantine settings section configure the quarantine settings:
    1. In the Quarantine folder field, enter the path to where you want to create the Quarantine folder on the devices or click Browse and select the path.

      The default path is %SOYUZAPPDATA%\Quarantine\. The Quarantine folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

      The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed.

      Example:

      If the device has the Windows 7 operating system installed and Kaspersky Endpoint Agent is installed on drive C, the path to the Quarantine folder will be:

      C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Quarantine

    2. To configure the maximum quarantine size, select the Maximum Quarantine size (MB) check box and specify the maximum size of quarantine in megabytes or select it from the list.

      For example, you can set the maximum quarantine size to 200 MB.

      When the maximum quarantine size is reached, Kaspersky Endpoint Agent will publish the corresponding event on Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

    3. To specify the quarantine threshold (the space in quarantine remaining until the maximum quarantine size is reached), select the Threshold value for space available (MB) check box.

      For example, you can set the quarantine threshold value to 50 MB.

      When the quarantine threshold is reached, Kaspersky Endpoint Agent will publish the corresponding event on the Kaspersky Security Center server and in the Windows Event Log, but will not stop quarantining new objects.

  6. In the Restoring objects from Quarantine section, in the Target folder for restored objects field, specify the path to create the folder for objects restored from quarantine.

    The default path is %SOYUZAPPDATA%\Restored\. The Restored folder is created on all devices with Kaspersky Endpoint Agent at the following path: %ALLUSERSPROFILE%\Kaspersky Lab\Endpoint Agent\4.0.

    The value of the %ALLUSERSPROFILE% variable depends on the operating system of the device where Kaspersky Endpoint Agent is installed.

    Example:

    If the device has the Windows 7 operating system installed and Kaspersky Endpoint Agent is installed on drive C, the path to the folder with the objects restored from quarantine will be:

    C:\ProgramData\Kaspersky Lab\Endpoint Agent\4.0\Restored

  7. If you configure the policy settings, in the upper right corner of the group of settings, change the switch from Undefined to Enforce.
  8. Click Apply and OK.

The quarantine settings and the folder for restoring objects from quarantine have been configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring data synchronization with the Administration Server

[Topic 199788]

Configuring data synchronization with the Administration Server

You can configure synchronization of data on quarantined objects on managed devices with Kaspersky Security Center Administration Server.

To configure data synchronization with the Administration Server:

  1. Do one of the following:
    • Open the application properties window for an individual device.
      1. In the main Kaspersky Security Center Web Console window, select Devices → Managed devices.
      2. Select the device.
      3. In the <Device name> window that opens, select the Applications tab.
      4. Select Kaspersky Endpoint Agent.
      5. In the window that opens, select the Application settings tab.
    • Open the policy properties window.
      1. In the main Kaspersky Security Center Web Console window, select Devices → Policies and profiles.
      2. Select the policy you want to configure.
      3. In the <Policy name> window that opens, select the Application settings tab.
  2. In the Repositories section select the Synchronization with Administration Server subsection.
  3. Select Data about quarantined objects on managed devices.
  4. Click OK.
  5. Click the Save button.

Data synchronization with the Administration Server is configured.

See also

About Kaspersky Endpoint Agent quarantine

About quarantine management in Kaspersky Endpoint Agent

Configuring quarantine settings and restoration of objects from quarantine

[Topic 199789]

Configuring failure diagnosis

Kaspersky Endpoint Agent does not automatically create a folder for storing trace or dump files on the device. Specify a folder that is already available on the device.

To configure failure diagnosis:

  1. Open the application properties window for an individual device.
    1. In the main Kaspersky Security Center Web Console window, select Devices → Managed devices.
    2. Select the device.
    3. In the <Device name> window that opens, select the Applications tab.
    4. Select Kaspersky Endpoint Agent.
    5. In the window that opens, select the Application settings tab.
  2. In the Application settings section select the Failure diagnosis subsection.
  3. To enable logging of debug information to the trace files:
    1. Enable the Write debug information to trace files option.
    2. In the Trace files folder field, specify the path to the folder on the device where the application saves the trace files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

    3. In the Maximum trace file size (MB) field, specify the file size in megabytes.

      The default value is 50 MB. When the specified file size is reached, the application continues writing to a new file.

  4. If you want the application to overwrite old trace files:
    1. Enable the Overwrite old trace files option.
    2. Enter the desired value in the Maximum number of files per trace log field.

      The default value is 1 file. When the specified number of files is reached, the application overwrites old files, starting with the oldest one. The specified limit is applied separately for each Kaspersky Endpoint Agent process being debugged, so the total number of files for all processes may exceed the specified value.

  5. To enable logging of dump files:
    1. Enable the Create dump files option.
    2. In the Dump files folder field, specify the folder to save the dump files.

      Make sure that the specified folder is available on the managed device. Otherwise, the debug information will not be saved.

  6. Click OK.

Failure diagnostics is configured and enabled for all Kaspersky Endpoint Agent processes that are currently running. Failure diagnostics files will be generated in the folders you specified.
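
A pre-flight check for the trace and dump folders named in this procedure, as an added PowerShell example that is not part of the Kaspersky documentation or product. It confirms that each folder already exists, compares free space with a worst-case trace budget, and lists access entries for broad groups. The folder paths, the process count of 4 and the function name Test-DiagnosticFolder are assumptions, and a local drive is assumed.

```powershell
# Added example, not Kaspersky code. Paths and process count are constructed sample values.
param(
    [string]$TraceFolder = 'C:\KEA\Traces',   # hypothetical "Trace files folder"
    [string]$DumpFolder  = 'C:\KEA\Dumps',    # hypothetical "Dump files folder"
    [int]$MaxTraceFileMB = 50,                # "Maximum trace file size (MB)", default from the page
    [int]$MaxFilesPerLog = 1,                 # "Maximum number of files per trace log", default from the page
    [int]$ProcessCount   = 4                  # assumed number of agent processes being debugged
)

function Test-DiagnosticFolder {
    param([string]$Path, [int]$RequiredMB = 0)

    $r = [ordered]@{ Path = $Path; Exists = $false; FreeMB = $null; EnoughSpace = $null; BroadAccess = @() }

    # The agent does not create the folder; if it is missing, nothing is saved.
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return [pscustomobject]$r }
    $r.Exists = $true

    # Free space on the local volume that holds the folder.
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $drive = New-Object System.IO.DriveInfo ([System.IO.Path]::GetPathRoot($full))
    $r.FreeMB      = [math]::Floor($drive.AvailableFreeSpace / 1MB)
    $r.EnoughSpace = $r.FreeMB -ge $RequiredMB

    # Dump files contain process memory, so flag Allow entries for broad groups.
    # Well-known SIDs are used because group names are localized.
    $broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'Users' }
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $r.BroadAccess = @($rules |
        Where-Object { $_.AccessControlType -eq 'Allow' -and $broad.ContainsKey($_.IdentityReference.Value) } |
        ForEach-Object { '{0}: {1}' -f $broad[$_.IdentityReference.Value], $_.FileSystemRights })

    [pscustomobject]$r
}

# With "Overwrite old trace files" enabled, the file limit applies to each
# debugged process separately, so the worst case scales with the process count.
$traceBudgetMB = $MaxTraceFileMB * $MaxFilesPerLog * $ProcessCount

@(
    Test-DiagnosticFolder -Path $TraceFolder -RequiredMB $traceBudgetMB
    Test-DiagnosticFolder -Path $DumpFolder
) | Format-List
```

A result with Exists set to False means the folder must be created before the options are enabled; any entry under BroadAccess is worth reviewing before dump creation is turned on.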


[Topic 200424]